Jonathan Simpson on 10 Jul 2013 05:36:31 -0700



Re: [PLUG] https Certificates Question


If you're worried about IE users, make sure you test in IE6/XP if possible as well. It may not be as up to date as far as having certs included, and there are sadly still a lot of users running it.

On 7/10/2013 8:34 AM, Mail List wrote:
> On Wed, 10 Jul 2013 07:40:45 -0400, David Coulson <david@davidcoulson.net>
> wrote:
>> On 7/10/13 7:35 AM, Mail List wrote:
>>> I need to set up one of my apache web servers as a secure server with
>>> https protocol.
>>>
>>> I'm wondering about the costs and potential pitfalls in doing so.
>> What is the business case for SSL? Not to say you do it no matter the
>> cost, but in general if you need SSL there is justification to pay for
>> the cert.
>
> I'm writing a web application that will have personal data.  The user will
> log in with a password, and then enter data of a personal nature into forms
> on the web page.
>
> My user base will be very unsophisticated, so any type of scary
> "certificate may not be valid" popup message would be unacceptable.   I
> don't care about the groovy logo, since that won't drive any sales revenue.
>
> Basically, I need to safeguard customers' data, and make the safeguarding
> transparent to them.
>
> So I guess I'll start with one of the free certificates (startssl.com or
> comodo.com) and see how they work.  If I don't get any scary messages when
> using IE, I'm probably good to go.
>
> Thanks to all for the comments and help!
>
>>> A quick web search has found that commercial certificates from the "big
>>> guys" are around $250/year.  However, I see that CAcert offers
>>> certificates for free.
>> CAcert isn't a universally trusted certificate authority, as they have
>> not gone through the same certification/auditing process as the large
>> commercial vendors. In general, I would never run anything production
>> using their certificates.
>>> Can anyone point me to a good primer/reference for this, or let me know
>>> how you fared establishing a secure web server?
>>
>> I just buy certificates from Verisign (now Symantec). Maybe $500/yr for
>> a 'normal' cert, but never had any issues.
>>
>> There is a smaller vendor - startssl.org - who offer free certificates,
>> but not sure how widely they are supported. Comodo keep trying to sell
>> me stuff, and they are pretty cheap - Think they got compromised a while
>> ago, so we've avoided them.

___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug